Steganography in Filesystem Metadata

Digital Investigation 18 (2016) S76eS86

Contents lists available at ScienceDirect

Digital Investigation

journal homepage: www.elsevier.com/locate/diin

DFRWS USA 2016 d Proceedings of the 16th Annual USA Digital Forensics Research Conference Time is on my side: Steganography in ﬁlesystem metadata

* Sebastian Neuner a, , Artemios G. Voyiatzis a, Martin Schmiedecker a, Stefan Brunthaler a, Stefan Katzenbeisser b, Edgar R. Weippl a a SBA Research, Vienna, Austria b Technische Universitat€ Darmstadt, Germany

abstract

Keywords: We propose and explore the applicability of file timestamps as a steganographic channel. Digital forensics We identify an information gap between storage and usage of timestamps in modern Data hiding operating systems that use high-precision timers. Building on this, we describe a layered Steganography design of a steganographic system that offers stealthiness, robustness, and wide applica- Storage forensics bility. The proposed design is evaluated through theoretical, evidence-based, and experi- File system forensics fi Real-world data corpus mental analysis for the case of NTFS using datasets comprising millions of les. We report a proof-of-concept implementation and confirm that the embedded information is indis- tinguishable from that of a normal filesystem use. Finally, we discuss the digital forensics analysis implications of this new information-hiding technique. © 2016 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Introduction strategic corporate information during transmission (Cox et al., 2007). The need for protected information exchange and stor- Numerous steganographic techniques have been pro- age in the digital world is constantly increasing. Crypto- posed and analyzed in the research literature (Zielinska graphic techniques can provide information confidentiality, et al., 2014). The analysis focuses on criteria such as the authenticity, and integrity. However, they do leave evi- achieved secrecy on specific application scenarios, the dence of the information exchange. steganographic channel capacity, and the information Steganographic techniques are able to hide the exis- channel utilization. tence of information passing through communication Storage or format-oriented steganographic techniques channels or resting in storage media for later access. These hide information in logical channels by utilizing redundant techniques are useful in a wide range of real-world sce- or unused fields in format specifications. This includes, narios, including but not limited to: circumventing among others, the master boot record (MBR) of non- censorship and restrictions imposed by governments and bootable hard disks and the unused disk space caused by other adversaries (Akgül and Kırlıdog; Anderson, 2012), the misalignment of hard disk sector size and file size assisting whistleblowers when disclosing documents (Khan et al., 2011). (Greenwald, 2014), and supporting businesses to protect Modern filesystems support a wealth of operations that span beyond the primitive of mapping files into sequences of hard disk sectors. The filesystem specifications define additional data structures (i.e., “metadata”) to describe in- * Corresponding author. formation like the owner, the access permissions, and the E-mail addresses: [email protected] (S. Neuner), avoyiatzis@ date and time when important file events took place. sba-research.org (A.G. Voyiatzis), [email protected] (M. Schmiedecker), [email protected] (S. Brunthaler), In this paper, we propose and explore, to the best of our [email protected] (S. Katzenbeisser), knowledge for the first time in literature, the applicability [email protected] (E.R. Weippl). http://dx.doi.org/10.1016/j.diin.2016.04.010 1742-2876/© 2016 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/ licenses/by-nc-nd/4.0/). S. Neuner et al. / Digital Investigation 18 (2016) S76eS86 S77 of filesystem timestamps as a steganographic channel. More steganographic protocols are feasible, we are still lacking specifically, we make the following contributions: functional implementations and widespread use of such tools (Hopper et al., 2009). 1. We analyze the granularity of the timestamps that A second line of research focused on embedding unob- modern filesystems implement, and we evaluate their servable information within the contents of stored files, applicability for steganographic applications. introducing undetectable degradation of multimedia 2. We propose the use of timestamps as a means to hide quality (e.g., manipulating the low-significance bits of pixel information in NTFS and other filesystems with sub- representation in images (Bailey and Curran, 2006)), the second timestamp granularity. color palettes in GIF images (Fridrich and Du, 2000), or 3. We describe a system design and a proof-of-concept (possibly) encoding information in YouTube videos that implementation that support different levels of look like static snow (Williams, 2015). possible capacity to securely hide data on NTFS volumes. 4. We validate the proposed system using real-world and Filesystems synthetic datasets, and we show that the embedded steganographic information cannot be distinguished A plethora of different filesystems is available, including from the information produced by normal filesystem FAT and NTFS for Microsoft-Windows-based devices, ext4 operations. and btrfs for GNU/Linux systems, and HFSþ for Apple OS X 5. We discuss the digital forensics implications of this new and iOS devices.1 Most of them store different artefacts at steganographic method. various levels of granularity and detail, collectively known as “filesystem metadata”. The rest of this paper is organized as follows: Section Filesystem metadata can be classified in five categories: (Background) provides a literature review on steganog- file system, application, file name, content, and generic met- raphy with emphasis on storage artefacts. Section adata (Carrier, 2005). File system metadata are information (Timestamps in modern filesystems) analyzes the use of on how the filesystem is to be read and where the impor- timestamps on modern filesystems. Section tant data structures reside. Application metadata are in- (Steganography based on file timestamps) proposes a novel formation useful for the application utilizing the filesystem, steganographic channel based on file timestamps. Section such as the file owner and the file access permissions. File (Evaluation of the TOMS system) evaluates the security of name metadata are information for the human-readable the proposed system. Section (Experimental system names mapping to logical data locations. Content meta- validation) describes a proof-of-concept implementation data are information about the logical addressing of the aiming at NTFS filesystems. Section (Implications for files, the file allocation status, and the actual data of the forensics analysis) discusses the implications on the digi- files. Generic metadata are information mostly used inter- tal forensics process. Finally, Section (Conclusions and nally by the filesystem for its operations. This includes in- future work) concludes the paper and presents the future formation such as the timestamps of various events in the directions of our work. lifecycle of a file.

Steganography using ﬁlesystem metadata Background The topic of hiding data in ﬁlesystem metadata was Data hiding heavily discussed in the late 1990s (Anderson et al., 1998). Back then, export restrictions on the use of strong crypto- Early works on digital steganography focused on hiding graphic algorithms outside the USA were in place, and there data in the clear, deriving and discussing different methods was an increased concern by the public regarding key of embed